valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
84645f4e59
SigmaHQ/rules/windows/builtin/win_alert_ad_user_backdoors.yml

27 lines
1.3 KiB
YAML
Raw Blame History

title: Active Directory User Backdoors
description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
author: '@neu5ron'
logsource:
product: windows
service: security
description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
AllowedToDelegateTo: '*'
selection2:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
selection3:
EventID: 5136
ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName'
condition: 1 of them
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink